Ролевая модель и аудит Часть 1.

Makefile

@@ -87,11 +87,11 @@ test: eunit ## Запустить все тесты (алиас для eunit)
 
 eunit: ## Запустить EUnit тесты
 	@echo "Запуск EUnit тестов..."
-	@$(REBAR3) eunit --sname $(SNAME)_test
+	@$(REBAR3) eunit --sname $(SNAME)_test --verbose
 
 eunit-module: ## Запустить тесты для модуля (make eunit-module MODULE=core_calendar_tests)
 	@echo "Запуск тестов для модуля $(MODULE)..."
-	@$(REBAR3) eunit --sname $(SNAME)_test --module=$(MODULE)
+	@$(REBAR3) eunit --sname $(SNAME)_test --module=$(MODULE) --verbose
 
 eunit-verbose: ## Запустить EUnit тесты с подробным выводом
 	@echo "Запуск EUnit тестов (verbose)..."

include/records.hrl

@@ -7,7 +7,7 @@
   id              :: binary(),
   email           :: binary(),
   password_hash   :: binary(),
-  role            :: user | admin,
+  role            :: user | bot,
   status          :: active | frozen | deleted,
   created_at      :: calendar:datetime(),
   updated_at      :: calendar:datetime()
@@ -20,6 +20,25 @@
   type            :: access | refresh
 }).
 
+%% ------------------- АДМИНИСТРАТОРЫ ------------------------------------
+-record(admin, {
+  id              :: binary(),
+  email           :: binary(),
+  password_hash   :: binary(),
+  role            :: superadmin | moderator | support,
+  status          :: active | blocked,
+  created_at      :: calendar:datetime(),
+  updated_at      :: calendar:datetime()
+}).
+
+%% ------------------- СЕССИИ АДМИНИСТРАТОРОВ ---------------------------
+-record(admin_session, {
+  token           :: binary(),
+  admin_id        :: binary(),
+  expires_at      :: calendar:datetime(),
+  type            :: refresh
+}).
+
 %% ------------------- Календари ---------------------------------------
 -record(calendar, {
   id              :: binary(),

src/core/core_admin.erl

@@ -0,0 +1,63 @@
+-module(core_admin).
+-include("records.hrl").
+-export([create/3, get_by_email/1, get_by_id/1, list_all/0,
+  update_role/2, block/1, unblock/1, generate_id/0]).
+
+create(Email, Password, Role) ->
+  Id = generate_id(),
+  {ok, Hash} = argon2:hash(Password),
+  Now = calendar:universal_time(),
+  Admin = #admin{
+    id = Id,
+    email = Email,
+    password_hash = Hash,
+    role = Role,
+    status = active,
+    created_at = Now,
+    updated_at = Now
+  },
+  mnesia:dirty_write(Admin),
+  {ok, Admin}.
+
+get_by_email(Email) ->
+  Match = #admin{email = Email, _ = '_'},
+  case mnesia:dirty_match_object(Match) of
+    [Admin] -> {ok, Admin};
+    []      -> {error, not_found}
+  end.
+
+get_by_id(Id) ->
+  case mnesia:dirty_read({admin, Id}) of
+    [Admin] -> {ok, Admin};
+    []      -> {error, not_found}
+  end.
+
+list_all() ->
+  mnesia:dirty_match_object(#admin{_ = '_'}).
+
+update_role(Id, NewRole) when is_atom(NewRole) ->
+  case get_by_id(Id) of
+    {ok, Admin} ->
+      Updated = Admin#admin{role = NewRole, updated_at = calendar:universal_time()},
+      mnesia:dirty_write(Updated),
+      {ok, Updated};
+    Error -> Error
+  end.
+
+block(Id) ->
+  update_status(Id, blocked).
+
+unblock(Id) ->
+  update_status(Id, active).
+
+update_status(Id, Status) ->
+  case get_by_id(Id) of
+    {ok, Admin} ->
+      Updated = Admin#admin{status = Status, updated_at = calendar:universal_time()},
+      mnesia:dirty_write(Updated),
+      {ok, Updated};
+    Error -> Error
+  end.
+
+generate_id() ->
+  base64:encode(crypto:strong_rand_bytes(16), #{mode => urlsafe, padding => false}).

src/core/core_admin_session.erl

@@ -0,0 +1,35 @@
+-module(core_admin_session).
+-include("records.hrl").
+-export([create/2, validate/1, delete/1]).
+
+-spec create(AdminId :: binary(), RefreshToken :: binary()) -> ok.
+create(AdminId, RefreshToken) ->
+  Session = #admin_session{
+    token = RefreshToken,
+    admin_id = AdminId,
+    expires_at = calendar:gregorian_seconds_to_datetime(
+      calendar:datetime_to_gregorian_seconds(calendar:universal_time()) + 30 * 24 * 3600),
+    type = refresh
+  },
+  mnesia:dirty_write(Session),
+  ok.
+
+-spec validate(Token :: binary()) -> {ok, AdminId :: binary()} | {error, not_found | expired}.
+validate(Token) ->
+  case mnesia:dirty_read({admin_session, Token}) of
+    [Session] ->
+      case Session#admin_session.expires_at > calendar:universal_time() of
+        true ->
+          {ok, Session#admin_session.admin_id};
+        false ->
+          mnesia:dirty_delete({admin_session, Token}),
+          {error, expired}
+      end;
+    [] ->
+      {error, not_found}
+  end.
+
+-spec delete(Token :: binary()) -> ok.
+delete(Token) ->
+  mnesia:dirty_delete({admin_session, Token}),
+  ok.

src/core/core_session.erl

@@ -0,0 +1,41 @@
+-module(core_session).
+-include("records.hrl").
+-export([create/2, validate/1, delete/1]).
+
+-spec create(UserId :: binary(), RefreshToken :: binary()) -> ok.
+create(UserId, RefreshToken) ->
+  Session = #session{
+    token = RefreshToken,
+    user_id = UserId,
+    expires_at = calendar:gregorian_seconds_to_datetime(
+      calendar:datetime_to_gregorian_seconds(calendar:universal_time()) + 30 * 24 * 3600),
+    type = refresh
+  },
+  mnesia:dirty_write(Session),
+  ok.
+
+-spec validate(Token :: binary()) -> {ok, UserId :: binary(), User :: #user{}} | {error, not_found | expired}.
+validate(Token) ->
+  case mnesia:dirty_read({session, Token}) of
+    [Session] ->
+      case Session#session.expires_at > calendar:universal_time() of
+        true ->
+          % Получаем пользователя по ID из сессии
+          case mnesia:dirty_read({user, Session#session.user_id}) of
+            [User] ->
+              {ok, Session#session.user_id, User};
+            [] ->
+              {error, not_found}
+          end;
+        false ->
+          mnesia:dirty_delete({session, Token}),
+          {error, expired}
+      end;
+    [] ->
+      {error, not_found}
+  end.
+
+-spec delete(Token :: binary()) -> ok.
+delete(Token) ->
+  mnesia:dirty_delete({session, Token}),
+  ok.

src/handlers/admin/admin_handler_banned_words.erl

@@ -95,7 +95,7 @@ update_banned_word(Word, Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -103,15 +103,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 banned_word_to_json(BW) ->
   #{
     id        => BW#banned_word.id,

src/handlers/admin/admin_handler_health.erl

@@ -1,15 +1,18 @@
 -module(admin_handler_health).
-
+-behaviour(cowboy_handler).
 -export([init/2]).
 
-init(Req, _Opts) ->
+init(Req, State) ->
   case cowboy_req:method(Req) of
     <<"GET">> ->
       Body = jsx:encode(#{status => <<"ok">>}),
-      Req1 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+      Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Body, Req),
-      {ok, Req1, []};
+      {ok, Req2, State};
     _ ->
-      Body = jsx:encode(#{error => <<"Method not allowed">>}),
+      send_error(Req, 405, <<"Method not allowed">>)
-      Req1 = cowboy_req:reply(405, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  end.
-      {ok, Req1, []}
+
-  end.
+send_error(Req, Status, Message) ->
+  Body = jsx:encode(#{error => Message}),
+  Req2 = cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),
+  {ok, Req2, []}.

src/handlers/admin/admin_handler_login.erl

@@ -12,13 +12,18 @@ init(Req0, State) ->
             #{<<"email">> := Email, <<"password">> := Password} ->
               case eventhub_auth:authenticate_admin_request(Req1, Email, Password) of
                 {ok, Token, User} ->
+                  % Генерация refresh-токена для администратора
+                  {RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
+                  % Сохранение refresh-токена в admin_session
+                  core_admin_session:create(maps:get(id, User), RefreshToken),
                   Resp = jsx:encode(#{
                     <<"token">> => Token,
                     <<"user">> => #{
                       <<"id">> => maps:get(id, User),
                       <<"email">> => maps:get(email, User),
                       <<"role">> => maps:get(role, User)
-                    }
+                    },
+                    <<"refresh_token">> => RefreshToken
                   }),
                   Req2 = cowboy_req:reply(200, #{
                     <<"content-type">> => <<"application/json">>,
@@ -26,14 +31,16 @@ init(Req0, State) ->
                   }, Resp, Req1),
                   {ok, Req2, State};
                 {error, insufficient_permissions} ->
-                  error_response(403, insufficient_permissions, Req1, State);
+                  error_response(403, <<"insufficient_permissions">>, Req1, State);
+                {error, Reason} when is_atom(Reason) ->
+                  error_response(401, atom_to_binary(Reason, utf8), Req1, State);
                 {error, Reason} ->
                   error_response(401, Reason, Req1, State)
               end;
             _ ->
-              error_response(400, <<"invalid_request">>, Req1, State)
+              error_response(400, <<"Missing email or password">>, Req1, State)
           catch
-            _:_ -> error_response(400, <<"invalid_request">>, Req1, State)
+            _:_ -> error_response(400, <<"Invalid JSON">>, Req1, State)
           end;
         false ->
           error_response(400, <<"Missing request body">>, Req0, State)

src/handlers/admin/admin_handler_moderation.erl

@@ -99,7 +99,7 @@ handle_user(_Id, _Action, Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -107,15 +107,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 calendar_to_json(C) ->
   #{
     id     => C#calendar.id,

src/handlers/admin/admin_handler_report_by_id.erl

@@ -14,7 +14,7 @@ init(Req, _Opts) ->
 get_report(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           ReportId = cowboy_req:binding(id, Req1),
           case core_report:get_by_id(ReportId) of
@@ -33,7 +33,7 @@ get_report(Req) ->
 update_report(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           ReportId = cowboy_req:binding(id, Req1),
           {ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -60,15 +60,6 @@ update_report(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 report_to_json(R) ->
   #{
     id           => R#report.id,

src/handlers/admin/admin_handler_reports.erl

@@ -8,13 +8,13 @@ init(Req, _Opts) ->
   case cowboy_req:method(Req) of
     <<"GET">> -> list_reports(Req);
     <<"PUT">> -> update_report(Req);
-    _         -> send_error(Req, 405, <<"Method not allowed">>)
+    _ -> send_error(Req, 405, <<"Method not allowed">>)
   end.
 
 list_reports(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           {ok, Reports} = core_report:list_all(),
           send_json(Req1, 200, [report_to_json(R) || R <- Reports]);
@@ -28,7 +28,7 @@ list_reports(Req) ->
 update_report(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           ReportId = cowboy_req:binding(id, Req1),
           {ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -54,15 +54,6 @@ update_report(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 report_to_json(R) ->
   #{
     id           => R#report.id,

src/handlers/admin/admin_handler_reviews.erl

@@ -14,7 +14,7 @@ init(Req, _Opts) ->
 get_review(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           ReviewId = cowboy_req:binding(id, Req1),
           case core_review:get_by_id(ReviewId) of
@@ -33,7 +33,7 @@ get_review(Req) ->
 update_review(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           ReviewId = cowboy_req:binding(id, Req1),
           {ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -59,15 +59,6 @@ update_review(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 review_to_json(R) ->
   #{
     id          => R#review.id,

src/handlers/admin/admin_handler_stats.erl

@@ -1,14 +1,8 @@
 -module(admin_handler_stats).
 -include("records.hrl").
 -export([init/2]).
--export([count_users/0, count_calendars/0, count_events/0, count_bookings/0,
-  count_reviews/0, count_reports/0, count_tickets/0, count_subscriptions/0]).
--export([is_admin/1]).
 
-init(Req, Opts) ->
+init(Req, _Opts) ->
-  handle(Req, Opts).
-
-handle(Req, _Opts) ->
   case cowboy_req:method(Req) of
     <<"GET">> -> get_stats(Req);
     _ -> send_error(Req, 405, <<"Method not allowed">>)
@@ -17,7 +11,7 @@ handle(Req, _Opts) ->
 get_stats(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           Stats = #{
             users => count_users(),
@@ -37,16 +31,6 @@ get_stats(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-%% Вспомогательные функции
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 count_users() -> length(mnesia:dirty_match_object(#user{_ = '_'})).
 count_calendars() -> length(mnesia:dirty_match_object(#calendar{_ = '_'})).
 count_events() -> length(mnesia:dirty_match_object(#event{is_instance = false, _ = '_'})).

src/handlers/admin/admin_handler_subscriptions.erl

@@ -114,7 +114,7 @@ delete_subscription(SubscriptionId, Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -122,15 +122,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 subscription_to_json(S) ->
   #{
     id          => S#subscription.id,

src/handlers/admin/admin_handler_ticket_by_id.erl

@@ -67,7 +67,7 @@ delete_ticket(Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -75,15 +75,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 ticket_to_json(T) ->
   #{
     id              => T#ticket.id,

src/handlers/admin/admin_handler_ticket_stats.erl

@@ -22,7 +22,7 @@ get_stats(Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -30,15 +30,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 send_json(Req, Status, Data) ->
   Body = jsx:encode(Data),
   cowboy_req:reply(Status, #{<<"content-type">> => <<"application/json">>}, Body, Req),

src/handlers/admin/admin_handler_tickets.erl

@@ -112,7 +112,7 @@ delete_ticket(TicketId, Req) ->
 auth_admin(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true  -> {ok, AdminId, Req1};
         false -> {error, 403, <<"Admin access required">>, Req1}
       end;
@@ -120,15 +120,6 @@ auth_admin(Req) ->
       {error, Code, Message, Req1}
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      Role = User#user.role,
-      Role =:= admin orelse Role =:= superadmin orelse
-        Role =:= moderator orelse Role =:= support;
-    _ -> false
-  end.
-
 ticket_to_json(T) ->
   #{
     id              => T#ticket.id,

src/handlers/admin/admin_handler_user_by_id.erl

@@ -1,28 +1,22 @@
 -module(admin_handler_user_by_id).
 -include("records.hrl").
 -export([init/2]).
--export([user_to_json/1, convert_updates/1]).
 
-init(Req, Opts) ->
+init(Req, _Opts) ->
-  handle(Req, Opts).
-
-handle(Req, _Opts) ->
   case cowboy_req:method(Req) of
-    <<"GET">>    -> get_user(Req);
+    <<"GET">> -> get_user(Req);
-    <<"PUT">>    -> update_user(Req);
+    <<"PUT">> -> update_user(Req);
     <<"DELETE">> -> delete_user(Req);
-    _            -> send_error(Req, 405, <<"Method not allowed">>)
+    _ -> send_error(Req, 405, <<"Method not allowed">>)
   end.
 
 get_user(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           UserId = cowboy_req:binding(id, Req1),
           case core_user:get_by_id(UserId) of
-            {ok, User} when User#user.status =:= deleted ->
-              send_error(Req1, 404, <<"User not found">>);
             {ok, User} ->
               send_json(Req1, 200, user_to_json(User));
             {error, not_found} ->
@@ -38,7 +32,7 @@ get_user(Req) ->
 update_user(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           UserId = cowboy_req:binding(id, Req1),
           {ok, Body, Req2} = cowboy_req:read_body(Req1),
@@ -69,7 +63,7 @@ update_user(Req) ->
 delete_user(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, AdminId, Req1} ->
-      case is_admin(AdminId) of
+      case admin_utils:is_admin(AdminId) of
         true ->
           UserId = cowboy_req:binding(id, Req1),
           case core_user:delete(UserId) of
@@ -85,12 +79,6 @@ delete_user(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} -> User#user.role =:= admin;
-    _ -> false
-  end.
-
 user_to_json(User) ->
   #{
     id         => User#user.id,

src/handlers/admin/admin_handler_users.erl

@@ -1,35 +1,40 @@
 -module(admin_handler_users).
--behaviour(cowboy_handler).
+-include("records.hrl").
 -export([init/2]).
 
 init(Req, _Opts) ->
   case cowboy_req:method(Req) of
-    <<"GET">> ->
+    <<"GET">> -> list_users(Req);
-      case handler_auth:authenticate(Req) of
+    _ -> send_error(Req, 405, <<"Method not allowed">>)
-        {ok, _UserId, Req1} ->
-          {ok, Users} = core_user:list_users(),
-          Response = [user_to_map(U) || U <- Users],
-          send_json(Req1, 200, Response);
-        {error, Code, Message, Req1} ->
-          send_error(Req1, Code, Message)
-      end;
-    _ ->
-      send_error(Req, 405, <<"Method not allowed">>)
   end.
 
-user_to_map(User) ->
+list_users(Req) ->
+  case handler_auth:authenticate(Req) of
+    {ok, AdminId, Req1} ->
+      case admin_utils:is_admin(AdminId) of
+        true ->
+          Users = core_user:list_users(),
+          send_json(Req1, 200, [user_to_json(U) || U <- Users]);
+        false ->
+          send_error(Req1, 403, <<"Admin access required">>)
+      end;
+    {error, Code, Message, Req1} ->
+      send_error(Req1, Code, Message)
+  end.
+
+user_to_json(U) ->
   #{
-    id => maps:get(id, User),
+    id => U#user.id,
-    email => maps:get(email, User),
+    email => U#user.email,
-    role => maps:get(role, User),
+    role => U#user.role,
-    status => maps:get(status, User),
+    status => U#user.status,
-    created_at => datetime_to_iso8601(maps:get(created_at, User)),
+    created_at => datetime_to_iso8601(U#user.created_at),
-    updated_at => datetime_to_iso8601(maps:get(updated_at, User))
+    updated_at => datetime_to_iso8601(U#user.updated_at)
   }.
 
-datetime_to_iso8601({{Year, Month, Day}, {Hour, Minute, Second}}) ->
+datetime_to_iso8601({{Y,M,D},{H,Min,S}}) ->
-  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ",
+  iolist_to_binary(io_lib:format("~4..0B-~2..0B-~2..0BT~2..0B:~2..0B:~2..0BZ", [Y,M,D,H,Min,S]));
-    [Year, Month, Day, Hour, Minute, Second])).
+datetime_to_iso8601(_) -> null.
 
 send_json(Req, Status, Data) ->
   Body = jsx:encode(Data),

src/handlers/admin/admin_ws_handler.erl

@@ -22,7 +22,7 @@ init(Req, _Opts) ->
       case logic_auth:verify_jwt(Token) of
         {ok, UserId, Role} ->
           io:format("[ADMIN_WS] UserId: ~s, Role: ~s~n", [UserId, Role]),
-          case is_admin_role(Role) of
+          case admin_utils:is_admin(Role) of
             true ->
               io:format("[ADMIN_WS] Admin access granted~n"),
               {cowboy_websocket, Req, #state{admin_id = UserId}};
@@ -81,7 +81,4 @@ websocket_info(_Info, State) ->
 
 terminate(_Reason, _Req, _State) ->
   pg:leave(eventhub_admin_ws, self()),
-  ok.
+  ok.
-
-is_admin_role(Role) ->
-  lists:member(Role, [<<"admin">>, <<"superadmin">>, <<"moderator">>, <<"support">>]).

src/handlers/handler_login.erl

@@ -2,7 +2,7 @@
 -behaviour(cowboy_handler).
 -export([init/2]).
 
--include("records.hrl").   %% ← необходим для #session{}
+-include("records.hrl").
 
 init(Req0, State) ->
   handle(Req0, State).
@@ -21,8 +21,8 @@ handle(Req, _Opts) ->
                 #{<<"email">> := Email, <<"password">> := Password} ->
                   case eventhub_auth:authenticate_user_request(Req1, Email, Password) of
                     {ok, Token, User} ->
-                      {RefreshToken, ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
+                      {RefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(maps:get(id, User)),
-                      save_refresh_token(maps:get(id, User), RefreshToken, ExpiresAt),
+                      core_session:create(maps:get(id, User), RefreshToken),
                       Response = #{
                         user => #{
                           id => maps:get(id, User),
@@ -53,15 +53,6 @@ handle(Req, _Opts) ->
       send_error(Req, 405, <<"Method not allowed">>)
   end.
 
-save_refresh_token(UserId, Token, ExpiresAt) ->
-  Session = #session{          %% record определён в records.hrl
-    token = Token,
-    user_id = UserId,
-    expires_at = ExpiresAt,
-    type = refresh
-  },
-  mnesia:dirty_write(Session).
-
 send_json(Req, Status, Data) ->
   Body = jsx:encode(Data),
   cowboy_req:reply(Status, #{

src/handlers/handler_refresh.erl

@@ -8,41 +8,12 @@ init(Req0, _Opts) ->
       {ok, Body, Req1} = cowboy_req:read_body(Req0),
       try jsx:decode(Body, [return_maps]) of
         #{<<"refresh_token">> := RefreshToken} ->
-          case get_session(RefreshToken) of
+          case find_and_refresh(RefreshToken) of
-            {ok, Session} ->
+            {ok, NewTokenPair} ->
-              % Проверяем, не истекла ли сессия
+              Resp = jsx:encode(NewTokenPair),
-              case Session#session.expires_at > calendar:universal_time() of
+              cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, Resp, Req1);
-                true ->
+            {error, Reason} ->
-                  % Генерируем новый access-токен и refresh-токен
+              send_error(Req1, 401, Reason)
-                  User = get_user(Session#session.user_id),
-                  NewToken = eventhub_auth:generate_user_token(
-                    User#user.id,
-                    atom_to_binary(User#user.role, utf8)
-                  ),
-                  {NewRefreshToken, ExpiresAt} =
-                    eventhub_auth:generate_refresh_token(User#user.id),
-                  % Удаляем старую сессию и сохраняем новую
-                  mnesia:dirty_delete_object(Session),
-                  NewSession = #session{
-                    token = NewRefreshToken,
-                    user_id = User#user.id,
-                    expires_at = ExpiresAt,
-                    type = refresh
-                  },
-                  mnesia:dirty_write(NewSession),
-                  Resp = jsx:encode(#{
-                    token => NewToken,
-                    refresh_token => NewRefreshToken
-                  }),
-                  cowboy_req:reply(200, #{
-                    <<"content-type">> => <<"application/json">>
-                  }, Resp, Req1);
-                false ->
-                  mnesia:dirty_delete_object(Session),
-                  send_error(Req1, 401, <<"Refresh token expired">>)
-              end;
-            {error, not_found} ->
-              send_error(Req1, 401, <<"Refresh token not found">>)
           end;
         _ ->
           send_error(Req1, 400, <<"Missing refresh_token field">>)
@@ -53,15 +24,50 @@ init(Req0, _Opts) ->
       send_error(Req0, 405, <<"Method not allowed">>)
   end.
 
-get_session(Token) ->
+%% --------------------------------------------------------
-  case mnesia:dirty_read({session, Token}) of
+%% Общая логика: проверяет обе таблицы сессий
-    [Session] -> {ok, Session};
+%% --------------------------------------------------------
-    [] -> {error, not_found}
+
+find_and_refresh(RefreshToken) ->
+  case core_session:validate(RefreshToken) of
+    {ok, UserId, User} ->
+      user_refresh(UserId, User, RefreshToken);
+    {error, not_found} ->
+      case core_admin_session:validate(RefreshToken) of
+        {ok, AdminId} ->
+          admin_refresh(AdminId, RefreshToken);
+        {error, not_found} ->
+          {error, <<"Refresh token not found">>};
+        {error, expired} ->
+          {error, <<"Refresh token expired">>}
+      end;
+    {error, expired} ->
+      {error, <<"Refresh token expired">>}
   end.
 
-get_user(UserId) ->
+user_refresh(UserId, User, OldToken) ->
-  [User] = mnesia:dirty_read({user, UserId}),
+  % Удаляем старый refresh-токен
-  User.
+  core_session:delete(OldToken),
+  % Генерируем новый access-токен и refresh-токен
+  Role = atom_to_binary(User#user.role, utf8),
+  NewToken = eventhub_auth:generate_user_token(UserId, Role),
+  {NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(UserId),
+  % Сохраняем новый refresh-токен в таблице session
+  core_session:create(UserId, NewRefreshToken),
+  {ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
+
+admin_refresh(AdminId, OldToken) ->
+  % Удаляем старый refresh-токен
+  core_admin_session:delete(OldToken),
+  % Получаем роль админа
+  {ok, Admin} = core_admin:get_by_id(AdminId),
+  Role = atom_to_binary(Admin#admin.role, utf8),
+  % Генерируем новый access-токен и refresh-токен
+  NewToken = eventhub_auth:generate_admin_token(AdminId, Role),
+  {NewRefreshToken, _ExpiresAt} = eventhub_auth:generate_refresh_token(AdminId),
+  % Сохраняем новый refresh-токен в таблице admin_session
+  core_admin_session:create(AdminId, NewRefreshToken),
+  {ok, #{token => NewToken, refresh_token => NewRefreshToken}}.
 
 send_error(Req, Status, Message) ->
   Body = jsx:encode(#{error => Message}),

src/handlers/handler_ticket_by_id.erl

@@ -19,7 +19,7 @@ get_ticket(Req) ->
       case core_ticket:get_by_id(TicketId) of
         {ok, Ticket} ->
           io:format("[TICKET_BY_ID] Found ticket, reporter_id: ~s~n", [Ticket#ticket.reporter_id]),
-          case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
+          case Ticket#ticket.reporter_id =:= UserId of
             true  ->
               io:format("[TICKET_BY_ID] Access granted~n"),
               send_json(Req1, 200, ticket_to_json(Ticket));
@@ -45,7 +45,7 @@ update_ticket(Req) ->
         Updates when is_map(Updates) ->
           case core_ticket:get_by_id(TicketId) of
             {ok, Ticket} ->
-              case is_admin(UserId) orelse Ticket#ticket.reporter_id =:= UserId of
+              case Ticket#ticket.reporter_id =:= UserId of
                 true ->
                   case core_ticket:update_ticket(TicketId, Updates) of
                     {ok, Updated} -> send_json(Req2, 200, ticket_to_json(Updated));
@@ -63,12 +63,6 @@ update_ticket(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, U} -> lists:member(U#user.role, [admin, superadmin, moderator, support]);
-    _       -> false
-  end.
-
 ticket_to_json(T) ->
   #{
     id              => T#ticket.id,

src/handlers/handler_tickets.erl

@@ -17,7 +17,7 @@ handle(Req, _Opts) ->
 list_tickets(Req) ->
   case handler_auth:authenticate(Req) of
     {ok, UserId, Req1} ->
-      case is_admin(UserId) of
+      case admin_utils:is_admin(UserId) of
         true ->
           Tickets = core_ticket:list_all(),
           send_json(Req1, 200, [ticket_to_json(T) || T <- Tickets]);
@@ -51,13 +51,6 @@ create_ticket(Req) ->
       send_error(Req1, Code, Message)
   end.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} ->
-      lists:member(User#user.role, [admin, superadmin, moderator, support]);
-    _ -> false
-  end.
-
 ticket_to_json(T) ->
   #{
     id              => T#ticket.id,

src/infra/admin_utils.erl

@@ -0,0 +1,13 @@
+-module(admin_utils).
+-include("records.hrl").
+
+-export([is_admin/1]).
+
+is_admin(UserId) ->
+  case core_admin:get_by_id(UserId) of
+    {ok, User} ->
+      Role = User#admin.role,
+      Role =:= admin orelse Role =:= superadmin orelse
+        Role =:= moderator orelse Role =:= support;
+    _ -> false
+  end.

src/infra/eventhub_auth.erl

@@ -130,14 +130,14 @@ authenticate_user_request(_Req, Email, Password) ->
 -spec authenticate_admin_request(Req :: cowboy_req:req(), Email :: binary(), Password :: binary()) ->
   {ok, Token :: binary(), User :: map()} | {error, atom()}.
 authenticate_admin_request(_Req, Email, Password) ->
-  case logic_auth:authenticate_user(Email, Password) of
+  case logic_auth:authenticate_admin(Email, Password) of
-    {ok, User} ->
+    {ok, AdminMap} ->
-      Role = maps:get(role, User, <<"admin">>),
+      Role = maps:get(role, AdminMap, <<"admin">>),
-      case is_admin_role(Role) of
+      case admin_utils:is_admin(Role) of
         true ->
-          UserId = maps:get(id, User),
+          AdminId = maps:get(id, AdminMap),
-          Token = generate_admin_token(UserId, Role),
+          Token = generate_admin_token(AdminId, Role),
-          {ok, Token, User};
+          {ok, Token, AdminMap};
         false -> {error, insufficient_permissions}
       end;
     Error -> Error
@@ -152,9 +152,4 @@ generate_refresh_token(_UserId) ->
   ExpiresAt = calendar:gregorian_seconds_to_datetime(
     calendar:datetime_to_gregorian_seconds(Now) + 30 * 24 * 3600
   ),
-  {RefreshToken, ExpiresAt}.
+  {RefreshToken, ExpiresAt}.
-
-%% ========== ВНУТРЕННИЕ ==========
-
-is_admin_role(Role) ->
-  lists:member(Role, [<<"admin">>, <<"superadmin">>, <<"moderator">>, <<"support">>]).

src/infra/infra_mnesia.erl

@@ -8,7 +8,7 @@
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2, terminate/2, code_change/3]).
 
 -define(TABLES, [
-  user, session, calendar, calendar_share, event, recurrence_exception,
+  user, session, admin, admin_session, calendar, calendar_share, event, recurrence_exception,
   booking, review, report, banned_word, ticket, subscription, audit_log
 ]).
 
@@ -62,7 +62,7 @@ create_table(Table) ->
     {atomic, ok} ->
       ok;
     {aborted, {already_exists, _}} ->
-      ok;
+      ok;   % таблица уже существует – пропускаем
     {aborted, Reason} ->
       error({table_creation_failed, Table, Reason})
   end.
@@ -78,6 +78,16 @@ table_opts(session) ->
     {attributes, record_info(fields, session)},
     {ram_copies, [node()]}
   ];
+table_opts(admin) ->
+  [
+    {attributes, record_info(fields, admin)},
+    {ram_copies, [node()]}
+  ];
+table_opts(admin_session) ->
+  [
+    {attributes, record_info(fields, admin_session)},
+    {ram_copies, [node()]}
+  ];
 table_opts(calendar) ->
   [
     {attributes, record_info(fields, calendar)},

src/logic/logic_auth.erl

@@ -2,7 +2,8 @@
 -export([hash_password/1, verify_password/2,
   generate_jwt/2, verify_jwt/1,
   generate_refresh_token/1,
-  authenticate_user/2]).
+  authenticate_user/2,
+  authenticate_admin/2]).
 
 -include("records.hrl").
 
@@ -26,18 +27,27 @@ authenticate_user(Email, Password) ->
     {ok, User} ->
       case verify_password(Password, User#user.password_hash) of
         {ok, true} ->
-          {ok, user_to_map(User)};
+          {ok, #{
-        _ ->
+            id => User#user.id,
-          {error, invalid_credentials}
+            email => User#user.email,
+            role => atom_to_binary(User#user.role, utf8)
+          }};
+        _ -> {error, invalid_credentials}
       end;
-    {error, not_found} ->
+    {error, not_found} -> {error, invalid_credentials}
-      {error, invalid_credentials}
   end.
 
-user_to_map(User) ->
+authenticate_admin(Email, Password) ->
-  #{
+  case core_admin:get_by_email(Email) of
-    id => User#user.id,
+    {ok, Admin} ->
-    email => User#user.email,
+      case verify_password(Password, Admin#admin.password_hash) of
-    role => atom_to_binary(User#user.role, utf8),
+        {ok, true} ->
-    status => atom_to_binary(User#user.status, utf8)
+          {ok, #{
-  }.
+            id => Admin#admin.id,
+            email => Admin#admin.email,
+            role => atom_to_binary(Admin#admin.role, utf8)
+          }};
+        _ -> {error, invalid_credentials}
+      end;
+    {error, not_found} -> {error, invalid_credentials}
+  end.

src/logic/logic_moderation.erl

@@ -43,20 +43,20 @@ create_report(ReporterId, TargetType, TargetId, Reason) ->
   end.
 
 get_reports(AdminId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_report:list_all();
     false -> {error, access_denied}
   end.
 
 get_reports_by_target(AdminId, TargetType, TargetId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_report:list_by_target(TargetType, TargetId);
     false -> {error, access_denied}
   end.
 
 resolve_report(AdminId, ReportId, Action)
   when Action =:= reviewed; Action =:= dismissed ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_report:get_by_id(ReportId) of
         {ok, Report} ->
@@ -99,19 +99,19 @@ auto_freeze(_, _) -> ok.
 %% ============ Бан-лист ===================================
 
 add_banned_word(AdminId, Word) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_banned_words:add_banned_word(Word, AdminId);
     false -> {error, access_denied}
   end.
 
 remove_banned_word(AdminId, Word) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_banned_words:remove_banned_word(Word);
     false -> {error, access_denied}
   end.
 
 list_banned_words(AdminId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> {ok, core_banned_words:list_banned_words()};
     false -> {error, access_denied}
   end.
@@ -143,7 +143,7 @@ auto_moderate(Text) ->
 %% ============ Заморозка/разморозка =======================
 
 freeze_calendar(AdminId, CalendarId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_calendar:get_by_id(CalendarId) of
         {ok, _Calendar} ->
@@ -154,7 +154,7 @@ freeze_calendar(AdminId, CalendarId) ->
   end.
 
 unfreeze_calendar(AdminId, CalendarId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_calendar:get_by_id(CalendarId) of
         {ok, _Calendar} ->
@@ -165,7 +165,7 @@ unfreeze_calendar(AdminId, CalendarId) ->
   end.
 
 freeze_event(AdminId, EventId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_event:get_by_id(EventId) of
         {ok, _Event} ->
@@ -176,7 +176,7 @@ freeze_event(AdminId, EventId) ->
   end.
 
 unfreeze_event(AdminId, EventId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_event:get_by_id(EventId) of
         {ok, _Event} ->
@@ -198,10 +198,4 @@ target_exists(calendar, CalendarId) ->
     {ok, _} -> true;
     _ -> false
   end;
-target_exists(_, _) -> false.
+target_exists(_, _) -> false.
-
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} -> User#user.role =:= admin;
-    _ -> false
-  end.

src/logic/logic_review.erl

@@ -36,7 +36,7 @@ create_review(UserId, TargetType, TargetId, Rating, Comment) ->
 get_review(UserId, ReviewId) ->
   case core_review:get_by_id(ReviewId) of
     {ok, Review} ->
-      case is_admin(UserId) orelse Review#review.status =:= visible of
+      case admin_utils:is_admin(UserId) orelse Review#review.status =:= visible of
         true -> {ok, Review};
         false -> {error, access_denied}
       end;
@@ -48,7 +48,7 @@ get_review(UserId, ReviewId) ->
 list_reviews(UserId, TargetType, TargetId) ->
   case core_review:list_by_target(TargetType, TargetId) of
     {ok, Reviews} ->
-      case is_admin(UserId) of
+      case admin_utils:is_admin(UserId) of
         true -> {ok, Reviews};
         false -> {ok, [R || R <- Reviews, R#review.status =:= visible]}
       end;
@@ -95,7 +95,7 @@ update_review(UserId, ReviewId, Updates) ->
 delete_review(UserId, ReviewId) ->
   case core_review:get_by_id(ReviewId) of
     {ok, Review} ->
-      case Review#review.user_id =:= UserId orelse is_admin(UserId) of
+      case Review#review.user_id =:= UserId orelse admin_utils:is_admin(UserId) of
         true ->
           TargetType = Review#review.target_type,
           TargetId = Review#review.target_id,
@@ -159,7 +159,7 @@ can_review(UserId, TargetType, TargetId) ->
 
 %% Проверка, может ли пользователь модерировать отзыв (скрыть/раскрыть)
 can_moderate_review(UserId, ReviewId) ->
-  case is_admin(UserId) of
+  case admin_utils:is_admin(UserId) of
     true ->
       true;
     false ->
@@ -200,12 +200,6 @@ target_exists(calendar, CalendarId) ->
   end;
 target_exists(_, _) -> false.
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} -> User#user.role =:= admin;
-    _ -> false
-  end.
-
 update_target_rating(event, EventId) ->
   {Avg, Count} = core_review:get_average_rating(event, EventId),
   io:format("Updating event ~p rating: avg=~p, count=~p~n", [EventId, Avg, Count]),

src/logic/logic_subscription.erl

@@ -57,7 +57,7 @@ activate_subscription(UserId, Plan, PaymentInfo) ->
 
 %% Отменить подписку
 cancel_subscription(AdminId, SubscriptionId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true ->
       case core_subscription:get_by_id(SubscriptionId) of
         {ok, _Subscription} ->
@@ -80,7 +80,7 @@ get_user_subscription(UserId) ->
 
 %% Получить подписку по ID (только админ)
 get_subscription(AdminId, SubscriptionId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true -> core_subscription:get_by_id(SubscriptionId);
     false -> {error, access_denied}
   end.
@@ -137,12 +137,6 @@ handle_expired_subscriptions() ->
 
 %% ============ Внутренние функции ============
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} -> User#user.role =:= admin;
-    _ -> false
-  end.
-
 plan_price(monthly) -> 999;      % $9.99
 plan_price(quarterly) -> 2499;   % $24.99
 plan_price(biannual) -> 4499;    % $44.99

src/logic/logic_ticket.erl

@@ -40,21 +40,21 @@ report_error(ErrorMessage, Stacktrace, Context) ->
 
 %% Получить тикет (только для админов)
 get_ticket(AdminId, TicketId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_ticket:get_by_id(TicketId);
     false -> {error, access_denied}
   end.
 
 %% Список всех тикетов (только для админов)
 list_tickets(AdminId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_ticket:list_all();
     false -> {error, access_denied}
   end.
 
 %% Список тикетов по статусу (только для админов)
 list_tickets_by_status(AdminId, Status) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  ->
       All = core_ticket:list_all(),
       [T || T <- All, T#ticket.status =:= Status];
@@ -63,21 +63,21 @@ list_tickets_by_status(AdminId, Status) ->
 
 %% Обновить статус тикета
 update_status(AdminId, TicketId, Status) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_ticket:update_ticket(TicketId, #{<<"status">> => Status});
     false -> {error, access_denied}
   end.
 
 %% Назначить тикет администратору
 assign_ticket(AdminId, TicketId, AssignToId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_ticket:update_ticket(TicketId, #{<<"assigned_to">> => AssignToId});
     false -> {error, access_denied}
   end.
 
 %% Отметить тикет как решённый с примечанием
 resolve_ticket(AdminId, TicketId, ResolutionNote) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  ->
       core_ticket:update_ticket(TicketId, #{
         <<"status">> => <<"closed">>,
@@ -88,14 +88,14 @@ resolve_ticket(AdminId, TicketId, ResolutionNote) ->
 
 %% Закрыть тикет
 close_ticket(AdminId, TicketId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  -> core_ticket:update_ticket(TicketId, #{<<"status">> => <<"closed">>});
     false -> {error, access_denied}
   end.
 
 %% Получить статистику по тикетам
 get_statistics(AdminId) ->
-  case is_admin(AdminId) of
+  case admin_utils:is_admin(AdminId) of
     true  ->
       All = core_ticket:list_all(),
       Open = length([T || T <- All, T#ticket.status =:= open]),
@@ -116,11 +116,5 @@ get_statistics(AdminId) ->
 
 %% ============ Вспомогательные функции ============
 
-is_admin(UserId) ->
-  case core_user:get_by_id(UserId) of
-    {ok, User} -> User#user.role =:= admin;
-    _ -> false
-  end.
-
 notify_admins(_Ticket) ->
   ok.